Day: February 6, 2018

We, the undersigned civil society groups and concerned individuals are alarmed by reports of 28 January 2018 of data leaks involving 220,000 registered organ donors. Media reports say the data leak also included MyKad numbers, home addresses and telephone numbers of donors/pledgers and their next of kin.

In September 2017, an online forum lowyat.net reported the data leak involving 46.2 million Malaysian mobile users – their personal details, MyKad numbers, addresses and mobile phone numbers. This massive data leak was said to have taken place over 2014 to 2016.

The leaks of such scale raise substantial concerns as to the extent of procedural flaws or security breaches in the system of data protection within government agencies and public sector corporations.

These breaches of security open wide the door for identity thefts and provide criminals with an ideal database to social engineer the perfect phishing attack against individuals whose intimate personal data have been exposed. These data leaks will have a far reaching impact on members of the public and the integrity of personal data held by government agencies and the private sector.

Despite the gravity of the situation, the Personal Data Protection Commission, the Malaysian Communications and Multimedia Commission and the Royal Malaysian Police have failed to offer any substantial remedy or action plan to address the leaks.

In both the cases set out earlier, we regret to note that organisations such as lowyat.net or members of the public who exposed the issue, have been censured, reprimanded and investigated. Concerned persons who have been vigilant and had the courage to expose such security breaches should be applauded and not reprimanded.

The extent of the data leaks are clear indications of the urgency to enforce and if necessary reform the Personal Data Protection Act (PDPA) 2010 to safeguard personal data in the digital realm. The relevant code of practice must be put in place immediately to strengthen protections and to prevent or mitigate future breaches. Punitive action needs to be taken against government agencies, corporations, organisations or individuals who fail to secure users’ private information in their possession.

Given the latest incident, it is high time that the PDPA is reviewed to cover Federal and State Governments and their agencies which collect, store and process user personal data. It is no longer acceptable that the Government and its agents are allowed to ignore the importance of data protection standards as they are also vulnerable to the threats of data breaches.

To this end, we, the undersigned civil society and concerned individuals call for:

1) A transparent investigation into the data leak;

2) All digital transactions to have the necessary and adequate security measures in place;

3) A policy and standard to be introduced to all Government agencies that handle personal data to ensure that the personal data processed are secure, safe and not open to abuse;

4) Relevant government agencies to be made accountable for data leaks in their departments or through their agents;

5) All harassment and investigation of journalists and individuals exposing the data leaks to cease;

6) Avenues (such as websites) to be introduced or allowed for individuals to check if their personal data had been compromised; and

7) Reform of the Personal Data Protection Act 2010 to include the Federal and State Governments